Doctor Web experts have detected Cynos malware (Android.Cynos.7.origin) in the official app store for Huawei devices, AppGallery. In total, Cynos-infected applications (usually games) were installed more than 9.3 million times.
The researchers write that Android.Cynos.7.origin is one of the modifications of the Cynos software module, which is designed to be embedded in Android applications in order to monetize them.
This platform has been known since at least 2014. Some of its versions have rather aggressive functionality: they send SMS messages to premium numbers and intercept incoming SMS, download and launch various modules, and download and install other applications.
In the new version found in AppGallery, the main functions are collecting information about users and their mobile devices, as well as displaying ads.
Cynos was found in 190 games featured in the AppGallery catalog. Among them are various simulators, platformers, arcade games, strategy games and shooters, with installation counts ranging from several thousand to several million. In total, they were downloaded by at least 9,300,000 users (the number of installations was calculated based on the download values for each application published in AppGallery).
Some of the games targeted a Russian-speaking audience and had localized Russian-language titles and descriptions. Others targeted a Chinese or international audience.
To gain access to certain data, the Trojan asks users for permission to control phone calls when an infected application is launched.
If the necessary rights are obtained, the Trojan collects and transmits the following information to the remote server:
- user’s mobile phone number;
- device location, which is determined based on GPS coordinates or data from a mobile network and a Wi-Fi access point (if the application has permission to access location);
- various parameters of the mobile network, such as network code, mobile country code, and, if the application has permission to access location, the ID of the base station and the international ID of the location area;
- various technical characteristics of the device;
- various parameters from the metadata of the application into which the Trojan is embedded.
Although the leakage of information about a mobile number may seem at first glance to be a minor problem, experts write that in reality it can lead to serious negative consequences for users, especially given the fact that children were the main target audience of infected applications.
As a reminder, we also wrote about "SharkBot Android Trojan Steals Cryptocurrency and Hacks Bank Accounts".